268 ◾ Ethical Hacking and Penetration Testing Guide
Compromising Other Hosts on the Network Having the Same Password
It is a very common practice for network administrators to use the same password across multiple hosts on the network. A weakness in the security architecture of Windows allows us to use the password hashes themselves to log in to other hosts on the same network that have the same password. The reason this is not possible in Linux is that it has a unique salt for each user's hash, whereas in Windows no salt is added to the hashes. This vulnerability comes in handy when we are unable to crack Windows hashes: we can use the password hashes as they are to gain access to other systems on the network.
Inside Metasploit, we have a module named psexec that can be used to pass the credentials to exploit the system. The first step would obviously be to dump the password hashes. In Armitage we can do it by moving to Access → Dump Hashes → lsass method. The lsass method would use the hashdump script to dump the password hashes.
You can then view the credentials by navigating to “Credentials” from the “view” menu at
the top.
Now that we have multiple hashes here, we can use the “Pass the Hash” feature inside Armitage, which will use the smb_login auxiliary module to check whether each of our credentials is valid. You can launch it by going to Attack → smb → Pass the Hash. A dialogue box with the credentials that we dumped from our target would appear. We can either choose a particular credential to test or check all credentials. In this case let's check all the credentials:
Postexploitation ◾ 269
For the sake of the demonstration, we will test on the same target that we exploited. In the real
world, you would test other targets.
From the picture, we can see that the user “rafay” has been authenticated.
psexec
Now that we know that the user “rafay” is able to authenticate on the target machine, we will use the psexec module to exploit the target system. In the search bar, type “psexec” and double-click it to enter the configuration menu. You would need to define the “rhost,” the SMB username, and the LM/NTLM password hash.
The user would be authenticated and you would have a meterpreter session opened.